Why refresh CSRF token per form request?

Okay, but I have to note in the examples and paper you've listed, a theoretical attacker could measure the CPU clock time very precisely. The machine was under no other load, and many languages use precalculated hashcodes for string comparison before performing a character by character check.

Using Skype for an attack

+1 Skype works peer to peer and in my experience I've always been able to see the hostname the ISP assigned to the person on the other end. (For group calls you can see that of the host of the group call.)